MicrosoftDocs
diff --git a/‎articles/defender-for-cloud/TOC.yml
Lines changed: 15 additions & 5 deletions b/‎articles/defender-for-cloud/TOC.yml
Lines changed: 15 additions & 5 deletions
diff --git a/‎articles/defender-for-cloud/advanced-configurations-for-malware-scanning.md
Lines changed: 198 additions & 0 deletions b/‎articles/defender-for-cloud/advanced-configurations-for-malware-scanning.md
Lines changed: 198 additions & 0 deletions
diff --git a/‎articles/defender-for-cloud/defender-for-storage-azure-portal-enablement.md
Lines changed: 64 additions & 0 deletions b/‎articles/defender-for-cloud/defender-for-storage-azure-portal-enablement.md
Lines changed: 64 additions & 0 deletions
@@ -674,14 +674,24 @@
       items:
       - name: Protect your storage with Defender for Storage
         href: tutorial-enable-storage-plan.md
-      - name: Additional configurations for Defender for Storage
-        href: ../storage/common/azure-defender-storage-configure.md?toc=/azure/defender-for-cloud/toc.json
       - name: Required permissions
         href: support-matrix-defender-for-storage.md
-      - name: Setting up response to Malware Scanning
+      - name: Enable Defender for Storage
+        items:
+        - name: Enable with the Azure policy (recommended)
+          href: defender-for-storage-policy-enablement.md
+        - name: Enable with Infrastructure as Code
+          href: defender-for-storage-infrastructure-as-code-enablement.md
+        - name: Enable with REST API
+          href: defender-for-storage-rest-api-enablement.md
+        - name: Enable with the Azure portal
+          href: defender-for-storage-azure-portal-enablement.md  
+      - name: Advanced configurations for malware scanning
+        href: advanced-configurations-for-malware-scanning.md
+      - name: Setup response to malware scanning
         href: defender-for-storage-configure-malware-scan.md
-      - name: Test and run a Proof of Concept
-        href: defender-for-storage-test.md
+      - name: Test and run a proof of concept
+      href: defender-for-storage-test.md
     - name: List of security threats and security alerts
       href: defender-for-storage-threats-alerts.md
     - name: Common questions about Defender for Storage
 
@@ -0,0 +1,198 @@
+---
+title: Microsoft Defender for Storage - advanced configurations for malware scanning
+description: Learn about the advanced configurations of Microsoft Defender for Storage malware scanning
+ms.date: 08/08/2023
+author: dcurwin
+ms.author: dacurwin
+ms.topic: conceptual
+---
+
+# Advanced configurations for malware scanning 
+
+Malware Scanning can be configured to send scanning results to the following:
+
+- **Event Grid custom topic** - for near-real time automatic response based on every scanning result.
+- **Log Analytics workspace** - for storing every scan result in a centralized log repository for compliance and audit.
+
+Learn more on how to [set up response for malware scanning](/azure/defender-for-cloud/defender-for-storage-configure-malware-scan) results.
+
+> [!TIP]
+> We recommend you try the [Ninja training instructions](https://github.com/Azure/Microsoft-Defender-for-Cloud/blob/main/Labs/Modules/Module%2019%20-%20Defender%20for%20Storage.md), a hands-on lab, to try out malware scanning in Defender for Storage, using detailed step-by-step instructions on how to test malware scanning end-to-end with setting up responses to scanning results. This is part of the 'labs' project that helps customers get ramped up with Microsoft Defender for Cloud and provides hands-on practical experience with its capabilities.
+
+## Setting up logging for malware scanning
+
+For each storage account enabled with malware scanning, you can define a Log Analytics workspace destination to store every scan result in a centralized log repository that is easy to query.
+
+:::image type="content" source="media/azure-defender-storage-configure/log-analytics-settings.png" alt-text="Screenshot showing where to configure a Log Analytics destination for scan log." lightbox="media/azure-defender-storage-configure/log-analytics-settings.png":::
+
+Before sending scan results to Log Analytics, [create a Log Analytics workspace](/azure/azure-monitor/logs/quick-create-workspace) or use an existing one.
+
+To configure the Log Analytics destination, navigate to the relevant storage account, open the **Microsoft Defender for Cloud** tab, and select the settings to configure.
+
+This configuration can be performed using REST API as well:
+
+Request URL:
+
+```
+PUT
+https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Storage/storageAccounts/{accountName}/providers/Microsoft.Security/DefenderForStorageSettings/current/providers/Microsoft.Insights/diagnosticSettings/service?api-version=2021-05-01-preview
+```
+Request Body:
+
+```
+{
+    "properties": {
+        "workspaceId": "/subscriptions/{subscriptionId}/resourcegroups/{resourceGroup}/providers/microsoft.operationalinsights/workspaces/{workspaceName}",
+        "logs": [
+            {
+                "category": "ScanResults",
+                "enabled": true,
+                "retentionPolicy": {
+                    "enabled": true,
+                    "days": 180
+                }
+            }
+        ]
+    }
+}
+```
+
+## Setting up Event Grid for malware scanning
+
+For each storage account enabled with malware scanning, you can configure to send every scan result using an Event Grid event for automation purposes.
+
+1. To configure Event Grid for sending scan results, you'll first need to create a custom topic in advance. Refer to the Event Grid documentation on creating custom topics for guidance. Ensure that the destination Event Grid custom topic is created in the same region as the storage account from which you want to send scan results.
+
+1. To configure the Event Grid custom topic destination, go to the relevant storage account, open the **Microsoft Defender for Cloud** tab, and select the settings to configure.
+
+> [!NOTE]
+> When you set an Event Grid custom topic, you should set **Override Defender for Storage subscription-level settings” to **On** to make sure it overrides the subscription-level settings.
+
+:::image type="content" source="media/azure-defender-storage-configure/event-grid-settings.png" alt-text="Screenshot that shows where to enable an Event Grid destination for scan logs." lightbox="media/azure-defender-storage-configure/event-grid-settings.png":::
+
+This configuration can be performed using REST API as well:
+
+Request URL:
+
+```
+PUT
+https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Storage/storageAccounts/{accountName}/providers/Microsoft.Security/DefenderForStorageSettings/current?api-version=2022-12-01-preview
+```
+
+Request Body:
+
+```
+{ 
+    "properties": { 
+        "isEnabled": true, 
+        "malwareScanning": { 
+            "onUpload": { 
+                "isEnabled": true, 
+                "capGBPerMonth": 5000 
+            }, 
+            "scanResultsEventGridTopicResourceId": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.EventGrid/topics/{EventGridTopicName}" 
+        }, 
+        "sensitiveDataDiscovery": { 
+            "isEnabled": true 
+        }, 
+        "overrideSubscriptionLevelSettings": true 
+    } 
+}
+```
+## Override Defender for Storage subscription-level settings
+
+The subscription-level settings inherit Defender for Storage settings on each storage account in the subscription. Use Override Defender for Storage subscription-level settings to configure settings for individual storage accounts different from those configured on the subscription level.
+
+Overriding the settings of the subscriptions are usually used for the following scenarios:
+
+- Enable/disable the Malware Scanning or the Data sensitivity threat detection features.
+- Configure custom settings for Malware Scanning.
+- Disable Microsoft Defender for Storage on specific storage accounts.
+
+> [!NOTE] 
+> We recommend that you enable Defender for Storage on the entire subscription to protect all existing and future storage accounts in it. However, there are some cases where you would want to exclude specific storage accounts from Defender protection. If you've decided to exclude, follow the steps below to use the override setting and then disable the relevant storage account. If you are using Defender for Storage (classic), you can also [exclude storage accounts](defender-for-storage-classic-enable.md).
+
+### Azure portal
+
+To configure the settings of individual storage accounts different from those configured on the subscription level using the Azure portal:
+
+1. Sign in to the Azure portal.
+
+1. Navigate to your storage account that you want to configure custom settings.
+
+1. In the storage account menu, in the **Security + networking** section, select **Microsoft Defender for Cloud**.
+
+1. Select **Settings** in Microsoft Defender for Storage.
+
+1. Set the status of **Override Defender for Storage subscription-level settings** (under Advanced settings) to **On**. This ensures that the settings are saved only for this storage account and will not be overrun by the subscription settings.
+
+1. Configure the settings you want to change:
+
+    1. To enable malware scanning or sensitive data threat detection, set the status to **On**.
+
+    1. To modify the settings of malware scanning:
+
+        1. Switch the **On-upload malware scanning** to **On** if it’s not already enabled.
+
+        1. To adjust the monthly threshold for malware scanning in your storage accounts, you can modify the parameter called **Set limit of GB scanned per month** to your desired value. This parameter determines the maximum amount of data that can be scanned for malware each month, specifically for each storage account. If you wish to allow unlimited scanning, you can uncheck this parameter. By default, the limit is set at 5,000 GB.
+
+
+1. To disable Defender for Storage on this storage account, set the status of Microsoft Defender for Storage to **Off**.
+
+    :::image type="content" source="media/azure-defender-storage-configure/defender-for-storage-settings.png" alt-text="Screenshot that shows where to turn off Defender for Storage in the Azure portal." lightbox="media/azure-defender-storage-configure/defender-for-storage-settings.png":::
+
+    Select **Save**.
+
+### REST API
+
+To configure the settings of individual storage accounts different from those configured on the subscription level using REST API:
+
+Create a PUT request with this endpoint. Replace the subscriptionId, resourceGroupName, and accountName in the endpoint URL with your own Azure subscription ID, resource group and storage account names accordingly.
+
+Request URL:
+
+```
+PUT
+https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{accountName}/providers/Microsoft.Security/DefenderForStorageSettings/current?api-version=2022-12-01-preview
+```
+
+Request Body:
+
+```
+{
+    "properties": {
+        "isEnabled": true,
+        "malwareScanning": {
+            "onUpload": {
+                "isEnabled": true,
+                "capGBPerMonth": 5000
+            }
+        },
+        "sensitiveDataDiscovery": {
+            "isEnabled": true
+        },
+        "overrideSubscriptionLevelSettings": true
+    }
+}
+```
+
+1. To enable malware scanning or sensitive data threat detection, set the value of isEnabled to **true** under the relevant features.
+
+1. To modify the settings of malware scanning, edit the relevant fields under onUpload, make sure the value of isEnabled is **true**. If you want to permit unlimited scanning, assign the value -1 to the capGBPerMonth parameter.
+
+1. To disable Defender for Storage on this storage accounts, use the following request body:
+
+    ```
+    {
+        "properties": {
+            "isEnabled": false,
+            "overrideSubscriptionLevelSettings": true
+        }
+    }
+    ```
+
+Make sure you add the parameter `overrideSubscriptionLevelSettings` and its value is set to **true**. This ensures that the settings are saved only for this storage account and will not be overrun by the subscription settings.
+
+## Next steps
+
+Learn more about [malware scanning settings](defender-for-storage-malware-scan.md).
@@ -0,0 +1,64 @@
+---
+title: Enable and configure the Defender for Storage plan at scale using the Azure portal
+description: Learn how to enable the Defender for Storage on your Azure subscription for Microsoft Defender for Cloud using the Azure portal.
+ms.topic: install-set-up-deploy
+author: AlizaBernstein
+ms.author: v-bernsteina
+ms.date: 08/15/2023
+---
+
+# Enable and configure with the Azure portal
+
+We recommend that you enable Defender for Storage on the subscription level. Doing so ensures all current and future storage accounts in the subscription are protected.
+
+> [!TIP]
+> You can always [configure specific storage accounts](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-subscription#override-defender-for-storage-subscription-level-settings) with custom configurations that differ from the settings configured at the subscription level (override subscription-level settings).
+
+## [Enable on a subscription (recommended)](#tab/enable-subscription/)
+
+To enable Defender for Storage at the subscription level using the Azure portal:
+
+1. Sign in to the Azure portal.
+1. Navigate to **Microsoft Defender for Cloud** > **Environment settings**.
+1. Select the subscription for which you want to enable Defender for Storage.
+
+    :::image type="content" source="media/defender-for-storage-malware-scan/azure-portal-enablement-subscription.png" alt-text="Screenshot that shows where to select the subscription." lightbox="media/defender-for-storage-malware-scan/azure-portal-enablement-subscription.png":::
+
+1. On the Defender plans page, locate **Storage** in the list and select **On** and **Save**. If you currently have Defender for Storage enabled with per-transaction pricing, select the **New pricing plan available** link and confirm the pricing change.
+
+    :::image type="content" source="media/defender-for-storage-malware-scan/azure-portal-enablement-turn-on.png" alt-text="Screenshot that shows where to turn on Storage plan." lightbox="media/defender-for-storage-malware-scan/azure-portal-enablement-turn-on.png":::
+
+Microsoft Defender for Storage is now enabled for this subscription, and is fully protected, including on-upload malware scanning and sensitive data threat detection.
+
+If you want to turn off the on-upload malware scanning or sensitive data threat detection, you can select **Settings** and change the status of the relevant feature to **Off** and save the changes.
+
+If you want to change the malware scanning size capping per storage account per month for malware, change the settings in **Edit configuration** and save the changes.
+
+If you want to disable the plan, turn status button to **Off** for the Storage plan on the Defender plans page and save the changes.
+
+## [Enable on a storage account](#tab/enable-storage-account/)
+
+To enable and configure Microsoft Defender for Storage for a specific account using the Azure portal:
+
+1. Sign in to the Azure portal.
+1. Navigate to your storage account.
+In the storage account menu, in the **Security + networking** section, select **Microsoft Defender for Cloud**.
+1. On-upload Malware Scanning and Sensitive data threat detection are enabled by default. You can disable the features by unselecting them.
+1. Select  **Enable on storage account**. Microsoft Defender for Storage is now enabled on this storage account.
+
+    :::image type="content" source="media/defender-for-storage-malware-scan/azure-portal-enablement-on-storage-account.png" alt-text="Screenshot that shows where to enable the storage account." lightbox="media/defender-for-storage-malware-scan/azure-portal-enablement-on-storage-account.png":::
+
+    > [!TIP]
+    > To configure On-upload malware scanning settings, such as monthly capping, select Settings after Defender for Storage was enabled.
+
+If you want to disable Defender for Storage on the storage account or disable one of the features (on-upload malware scanning or Sensitive data threat detection), select **Settings**, edit the settings, and select **Save**.
+
+---
+
+> [!TIP]
+> Malware Scanning can be configured to send scanning results to the following: <br>  **Event Grid custom topic** - for near-real time automatic response based on every scanning result. Learn more how to [configure malware scanning to send scanning events to an Event Grid custom topic](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-storage-account#setting-up-event-grid-for-malware-scanning). <br> **Log Analytics workspace** - for storing every scan result in a centralized log repository for compliance and audit. Learn more how to [configure malware scanning to send scanning results to a Log Analytics workspace](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-storage-account#setting-up-logging-for-malware-scanning).
+
+## Next steps
+
+- Learn how to [enable and Configure the Defender for Storage plan at scale with an Azure built-in policy](defender-for-storage-policy-enablement.md).
+- Learn more on how to [set up response for malware scanning](defender-for-storage-configure-malware-scan.md) results.